In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL): tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.

This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.

On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35 kV substations were disconnected for three hours. The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that a great deal of lead time was required to conduct this operation.

How was this allowed to happen?

Social engineering is how. It all started with a spear-phishing attack using a spoofed address that made it seem as though the emails were coming from the Rada, the Ukrainian parliament. Rejecting such an email is always a tough proposition for any employee, and in certain social structures, ignoring an email from parliament could result in some unpleasant consequences.

So, what happens? The employees open up the email, open an attachment, allow a macro to run, and all nastiness breaks loose. After opening the email, using a malicious Office document (screen capture below, credit: CyS Centrum), the user is asked to allow a macro to run. Here comes the nastiness: variants of the BlackEnergy malware start to infect the system.
This social engineering step is crucial for the attackers to gain a foothold in the system. And this is exactly what happened over the next six months.
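To make the defender's side of that first step concrete, here is an added example (not part of the original article, and not code from the authors or from CyS Centrum) that triages an email the way a mail gateway rule or an analyst script might: it flags a visible From domain that does not match the envelope sender, and it flags a macro-enabled Office attachment. The message, the domains and the file name are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the visible From claims a parliament
# domain, the envelope sender is elsewhere, and the attachment is a .docm file.
SAMPLE_EML = """\
Return-Path: <bulk@mail-relay.example.net>
From: "Parliament Secretariat" <notice@parliament.example>
To: operator@utility.example
Subject: Urgent notice
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please review the attached document.
--B
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="notice.docm"
Content-Disposition: attachment; filename="notice.docm"

UEsDBAoAAAAAAA==
--B--
"""

# Content types and extensions Office uses for macro-enabled documents.
MACRO_TYPES = {"application/vnd.ms-word.document.macroenabled.12",
               "application/vnd.ms-excel.sheet.macroenabled.12"}
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")

def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def triage(raw_message):
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    envelope_dom = addr_domain(msg["Return-Path"])
    # A mismatch is a signal, not a verdict (mailing lists and relays cause it
    # too); it should raise the priority of the "pick up the phone" check.
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={envelope_dom}")
    for part in msg.iter_attachments():  # skips the first text/plain body part
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in MACRO_TYPES or name.endswith(MACRO_EXTS):
            findings.append(f"macro-enabled Office attachment: {name}")
    return findings
```

Running `triage(SAMPLE_EML)` on the constructed message returns both findings; a message whose From and Return-Path domains agree and that carries no attachment returns an empty list.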
Once the malware was on the system, authorized users started to lose control of administrative passwords and privileges, leading to even bigger problems like allowing the attackers to work their way to critical systems, such as Uninterruptible Power Supplies (UPSs) and supervisory control systems like Human Machine Interfaces (HMIs). And just to be sure, a variant of the KillDisk malware was installed onto the systems as well, potentially as a means to hide the tracks of the malicious user.

The Simplest Solution May Be Most Effective

What’s the lesson here for ICS/SCADA systems? Well, it is that the danger is at our doorstep, and sometimes it is as simple as asking: should I click on the link or open the attachment? Our general view is, if in doubt, don’t! Cats have nine lives to be curious with – your computer systems and devices don’t.

You see, our view is that if you can stop the initial phishing, spear-phishing, or pretexting attacks, the likelihood of a successful attack greatly diminishes. Admittedly, it is only a theory we have and one that can only be proven correct with an incredible amount of red team testing. But there are strong indicators to support our theory. For example, the Verizon DBIR, noted in our previous installment, found that phishing and pretexting combined represented almost 98 percent of incidents and breaches that involved social actions. From the same report, 88 percent of pretexting attacks were being carried out via email. We’re happy to put some money on the fact that there’s a fire with all this smoke.

This is why we believe that the first critical step to protecting the grid is employee training on social engineering attacks and social media use. We list a few other points below, but really, without employee training, we see this as a loss straight out of the gate.
It’s like trying to win a football game by only throwing long passes for 20 yards. Sure, you’ll make the occasional big gain, but you’re leaving easy yards on the field for no good reason. And the defense will know to always play zone against you. It’s just a matter of time before you lose, and lose often, if you stick with the same failed strategy.

How to Stay in the Game

Here are our quick-tip employee training suggestions that we believe will give you a fighting chance to not only stay in the game but even win:

1. Have real and ongoing employee training. “One-off” online sessions that an employee does during a 10-minute coffee break are great for the vendors. Not so great for you. Spotting suspicious emails is an exercise in muscle memory. Find a provider that can specifically tailor a training program to your plant or facility and make the training ongoing. There’s plenty of evidence that this approach can substantially reduce your risk.

2. New York City mantra: see something, say something. Let your IT department know if you’re seeing suspicious emails or if you feel you’re caught up in a social engineering scam. Have the ability to track logs if something feels off, as this information is vital to threat intelligence gathering. By letting your IT department know something feels off, some easy adjustments to filters can do the trick. In other situations, your heads-up could help the IT department block a potentially bad IP address from trying to communicate with the enterprise.

3. Sharing is caring. Criminals operate within industry verticals, so even working with competitors here can make the industry safer as a whole. You can still be business competitors and still share threat intelligence under the Cybersecurity Information Sharing Act.

4. Pick up the phone. If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars and your job, and avoid an avalanche of bad PR.

5. Red team test your workers on a regular basis. Better to have a good learning experience and adapt accordingly instead of having to publicly say, “Senator, we didn’t really plan for this even though we knew this type of threat existed.”

What do all points have in common? They’re all about you. Social engineering is about you and getting at you at a personal level. And before people start jumping up and down that we are just trying to spread paranoia, ask yourself, what’s easier: some sophisticated computer attack or fooling somebody with a confidence scam? Criminals go for the path of least resistance.

If you’ll notice, many of the suggestions we mentioned are cost-effective and easy to implement. We’re trying to “up your cyber street smarts” game here.

Extra Time: Some Bonus Tips

While the focus of this series was to get you thinking about social engineering and what effect it could have on ICS/SCADA systems, we have some other quick tips worth considering. They are:

1. Review ICS/SCADA security architecture. Use well-informed and qualified ICS security professionals to review network architecture, VPN configuration, firewall configuration, router controls, and all that other tech jargon you may not understand but is ultimately important. There may be gaps there that need to be filled.

2. Enhance network security monitoring capabilities. Yes, some attacks are sophisticated, well thought out, and operate in stealth. You need robust log collection and network traffic monitoring. Failure to perform these essential tasks prevents timely detection, pre-emptive response, and accurate incident investigation.
Artificial Intelligence and Machine Learning will likely play an increased role here over time, but you still need a human at the helm to keep an eye on what is going on.

3. Review and update incident response, business continuity, and crisis communication plans. Utilities are used to outages and are very capable of responding to those caused by weather or equipment failure. There has been a lot of practice and lessons learned here, but cyber threats are a new animal and need more of our attention as a normal course of business. Plans need to cover nightmare scenarios like protocols for wiper malware and ransomware.

About the Authors:

Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements which govern them.

George Platsis has worked in the United States, Canada, Asia, and Europe, as a consultant and an educator and is a current member of the SDI Cyber Team (www.sdicyber.com). For over 15 years, he has worked with the private, public, and non-profit sectors to address their strategic, operational, and training needs, in the fields of: business development, risk/crisis management, and cultural relations. His current professional efforts focus on human element vulnerabilities related to cybersecurity, information security, and data security by decoupling the network and information risk areas.
Editor’s Note: The opinions voiced in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.